Merge pull request #483 from fmount/scc_dbsync

Do not run db-sync as root

Author: openshift-merge-bot[bot]

pkg/glance/const.go

@@ -46,12 +46,14 @@ const (
 	// PvcImageConv is used to define a PVC mounted for image conversion purposes
 	// when Ceph is detected as a backend
 	PvcImageConv PvcType = "imageConv"
-
 	// GlancePublicPort -
 	GlancePublicPort int32 = 9292
 	// GlanceInternalPort -
 	GlanceInternalPort int32 = 9292
-
+	// GlanceUID - https://github.com/openstack/kolla/blob/master/kolla/common/users.py
+	GlanceUID int64 = 42415
+	// GlanceGid - https://github.com/openstack/kolla/blob/master/kolla/common/users.py
+	GlanceGID int64 = 42415
 	// DefaultsConfigFileName -
 	DefaultsConfigFileName = "00-config.conf"
 	// CustomConfigFileName -
@@ -90,6 +92,9 @@ const (
 	CachePruner CronJobType = "pruner"
 	//ImageCacheDir -
 	ImageCacheDir = "/var/lib/glance/image-cache"
+
+	// GlanceDBSyncCommand -
+	GlanceDBSyncCommand = "/usr/local/bin/kolla_start"
 	// GlanceManage base command (required for DBPurge)
 	GlanceManage = "/usr/bin/glance-manage"
 	// GlanceCacheCleaner -

pkg/glance/dbsync.go

@@ -17,25 +17,18 @@ package glance
 
 import (
 	glancev1 "github.com/openstack-k8s-operators/glance-operator/api/v1beta1"
-
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	// DBSyncCommand -
-	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
-)
-
 // DbSyncJob func
 func DbSyncJob(
 	instance *glancev1.Glance,
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
 	var config0644AccessMode int32 = 0644
 
 	// Unlike the individual glanceAPI services, the DbSyncJob doesn't need a
@@ -104,7 +97,7 @@ func DbSyncJob(
 		}
 	}
 
-	args := []string{"-c", DBSyncCommand}
+	args := []string{"-c", GlanceDBSyncCommand}
 	envVars := map[string]env.Setter{}
 	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVars["KOLLA_BOOTSTRAP"] = env.SetValue("true")
@@ -129,13 +122,11 @@ func DbSyncJob(
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: dbSyncMounts,
+							Args:            args,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: glanceSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    dbSyncMounts,
 						},
 					},
 				},

pkg/glance/funcs.go

@@ -2,6 +2,7 @@ package glance
 
 import (
 	glancev1 "github.com/openstack-k8s-operators/glance-operator/api/v1beta1"
+	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"strings"
 )
@@ -53,3 +54,22 @@ func GetGlanceAPIName(name string) string {
 	}
 	return api
 }
+
+// glanceSecurityContext - currently used to make sure we don't run db-sync as
+// root user
+func glanceSecurityContext() *corev1.SecurityContext {
+	trueVal := true
+	runAsUser := int64(GlanceUID)
+	runAsGroup := int64(GlanceGID)
+
+	return &corev1.SecurityContext{
+		RunAsUser:    &runAsUser,
+		RunAsGroup:   &runAsGroup,
+		RunAsNonRoot: &trueVal,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"MKNOD",
+			},
+		},
+	}
+}